Channels

Services

Vulnerabilities in Firefox and Internet Explorer

Browser security specialist Michal Zalewski has struck again. Four online demos illustrate previously unknown vulnerabilities in Internet Explorer 6 and 7 and Firefox 2.0. A race condition when navigating to a new web page can be exploited to confuse Internet Explorer's domain policy, which usually prevents a web page from domain A from accessing content of a web page originating from domain B.

Zalewski was able to get around this restriction using JavaScript. The demo is, however, a little flaky - according to the description, network timing, for example, is a factor in exploitation. Nevertheless, the demo did succeed in reading a Google cookie after a long test duration. It is apparently also possible to manipulate form data in other web pages. In Zalewski's opinion, this undermines the entire Internet Explorer security model.

The second demo demonstrates how a malicious web page opened in Firefox can read keyboard input to another open web page. According to the description, the cause of the problems is that IFRAMES can be replaced using the document.write() method. The problem has been known about since 2006, but has been only partly resolved.

A third demo illustrates how a system can be spied upon using a vulnerability in Firefox. A type of mini game tries to get the user to press the return key at specific moments. In doing so the user is actually confirming an invisible security message box to enable the exploit to read the content of the root directory. In principle this could also be used to download or run files.

Finally Zalewski presents a problem in Internet Explorer 6, which can be exploited to spoof the address bar. However this demo is also extremely flaky and failed to work in tests by the heise Security editorial team.

On top of all this, Thor Larholm has reported another vulnerability in Firefox 2.0.0.4, which likewise allows files to be read on Windows or Unix systems. To exploit this it is sufficient to enter a URL with a specific resource://-protocol-handler.